Chad Leigh -- Shire.Net LLC wrote:
>
> On Feb 6, 2006, at 1:29 PM, Björn König wrote:
>
>> Andre Oppermann schrieb:
>>
>>> [...] If you have normal users on the host and
>>> have jails under the same user id then, yea, tough luck. You're not
>>> supposed to do that. [...]
>>
>>
>> Yes, I can prevent from overlapping UIDs, but how to prevent from
>> that if host administrator and jail administrator are two
>> independent parties? It requires much more carefulness and precautions.
>
>
> Well, the host admin, when detailing services and responsibilities to
> the jail admin (I have a similar situation), can tell the jail admin
> which range of UIDs to use for new users. I typically use the last
> byte of the IP address * 100 as the base.
>
> Eg, say a jail is 192.168.1.100 then they can start with 10000 as a
> UID and go up to 10100.
>
> Additionally, the host should ideally have no users but the bare
> minimum for the admin. All the "host"-based users and services
> should ideally be in their own jail.

Generally at Vicor, we had a rule that either all users were in jails, or
none were. A Jail server wasn't considered part of the resources available
to users, only the jails themselves.

>
> And if you can use a common base jail install mounted read only
> inside each jail, you will greatly increase security of the jails as
> exploits that replace system binaries will fail.
>
> gruss aus utah
> Chad
>
>
> ---
> Chad Leigh -- Shire.Net LLC
> Your Web App and Email hosting provider
> chad at shire.net

Received on Mon Feb 06 2006 - 20:24:18 UTC
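Added example, not part of the original message: a shell check a host admin could run to confirm that a jail's accounts stay inside the UID range from the "last byte of the IP address * 100" convention quoted above and do not share a UID with a host account. The function names, the passwd(5) file arguments, the system-account cutoffs and the sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check a jail's passwd file against the
# UID range implied by the "last byte of the jail IP * 100" convention.

# uid_base IP: print the base UID for a jail, e.g. 192.168.1.100 -> 10000.
uid_base() {
    echo $(( ${1##*.} * 100 ))
}

# audit_jail_uids JAIL_IP JAIL_PASSWD HOST_PASSWD [MIN_UID]
# Prints one finding per line and returns 1 if there were any:
#   OUTSIDE  a jail user account has a UID outside base..base+100
#   OVERLAP  a jail user account shares its UID with a host account
# Assumptions: UIDs below MIN_UID (default 1000) and 65533+ are system or
# reserved accounts and are skipped; both files are in passwd(5) format.
audit_jail_uids() {
    base=$(uid_base "$1")
    awk -F: -v lo="$base" -v hi="$((base + 100))" -v min="${4:-1000}" '
        /^#/ || NF < 3          { next }
        FILENAME == ARGV[1]     { host[$3] = $1; next }  # host passwd is read first
        $3 < min || $3 >= 65533 { next }                 # skip system accounts
        $3 < lo || $3 > hi { print "OUTSIDE " $1 " uid=" $3 " range=" lo "-" hi; bad = 1 }
        ($3 in host)       { print "OVERLAP " $1 " uid=" $3 " host=" host[$3]; bad = 1 }
        END { exit bad + 0 }
    ' "$3" "$2"
}

# Constructed sample data: a host with one admin account, and a jail at
# 192.168.1.100 (range 10000-10100) holding one stray account at UID 1001.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:*:0:0::/root:/bin/sh' \
        'admin:*:1001:1001::/home/admin:/bin/sh' > "$d/host"
    printf '%s\n' 'root:*:0:0::/root:/bin/sh' \
        'alice:*:10000:10000::/home/alice:/bin/sh' \
        'bob:*:1001:1001::/home/bob:/bin/sh' > "$d/jail"
    audit_jail_uids 192.168.1.100 "$d/jail" "$d/host" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "findings reported above"
```

On a real host the two file arguments would be the jail's and the host's own passwd files; the check only reads them.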